Splunk Search
Highlighted

Search for Users that have not Logged-in in the Last 30 Days

Builder

I need to create a search that will look back over the last year and list all users that have not logged into a webserver. I was thinking about running a search that normalized, deduped, and listed all users in a table. Then I wanted to run a search against the table for all users with timestamps older than 30 days. I have the first part working, but not the search against the table. Any help would be appreciated.

sourcetype=webserver auditevent=AUTHNSUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | search _time>-30d

Tags (3)
0 Karma
Highlighted

Re: Search for Users that have not Logged-in in the Last 30 Days

SplunkTrust
SplunkTrust

Try this

sourcetype=webserver audit_event=AUTHN_SUCCESS tag=prod | eval username=lower(username) | dedup username | table _time username | eval age_days=(now()-_time)/(60*60*24) | where age_days > 30

View solution in original post

Highlighted

Re: Search for Users that have not Logged-in in the Last 30 Days

Builder

Thanks! This worked for me.

0 Karma